This publication updates in February/August · 2018. 9. 1. · This manual is designed with group health care plan sponsors in mind, and includes the HIPAA regu- lations, sample forms,

This publication updates inFebruary/August

19-M (9214)

Copyright 2018

J. J. Keller & Associates, Inc.3003 Breezewood Lane

P.O. Box 368Neenah, Wisconsin 54957-0368

Phone: (800) 327-6868Fax: (800) 727-7516

JJKeller.com

Library of Congress Catalog Card Number: 2003114412

ISBN 978-1-61099-428-6

All rights reserved. Neither the publication nor any part thereofmay be reproduced in any manner without written permission ofthe Publisher. United States laws and Federal regulations pub-lished as promulgated are in public domain. However, theircompilation and arrangement along with other materials in thispublication are subject to the copyright notice.

Printed in the U.S.A.

HIPAA Essentials

ii 2/18

Original content is the copyrighted property of J. J. Keller & Associates, Inc.

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes provisions for porta-bility, nondiscrimination, and privacy of individually identifiable health information. These standardscreated the first-ever national standards to protect the confidentiality of an individual's protected healthinformation (PHI).

The portability and nondiscrimination provisions allow employees to move from one company to anotherwithout risking the loss of health care coverage, and prohibit employers from using health status as areason for denying benefits. These provisions are governed by the Department of Labor's EmployeeBenefits Security Administration.

Developed by the U.S. Department of Health and Human Services (HHS), the privacy rules provideindividuals with access to their medical records, more control over how their PHI is used and disclosed,and the right to examine and obtain a copy of their own health records, and request correction. Inaddition, it generally limits release of information to the minimum reasonably needed for the purpose ofthe disclosure. Before the privacy rule took effect, PHI generally could be distributed, without eitherconsent or authorization, for reasons that had nothing to do with an individual's medical treatment orpayment.

This manual is designed with group health care plan sponsors in mind, and includes the HIPAA regu-lations, sample forms, and other documents, along with an index for easier access to information.

Revision bars, like the one at the left of this paragraph, are used in this publication to show wheresignificant changes were made on update pages. They also indicate updates to tables of contents. Therevision bar next to text on a page indicates that the text was revised. The date at the bottom of the pagetells you when the revised page was issued.

Due to the constantly changing nature of government regulations, it is impossible to guarantee absoluteaccuracy of the material contained herein. The Publisher and Editors, therefore, cannot assume anyresponsibility for omissions, errors, misprinting, or ambiguity contained within this publication and shallnot be held liable in any degree for any loss or injury caused by such omission, error, misprinting, orambiguity presented in this publication.

This publication is designed to provide reasonably accurate and authoritative information in regard tothe subject matter covered. It is sold with the understanding that the Publisher is not engaged inrendering legal, accounting, or other professional service. If legal advice or other expert assistance isrequired, the services of a competent professional person should be sought.

The Editors & PublisherJ. J. Keller & Associates, Inc.

HIPAA Essentials

2/18 iii


Published & Printed by

J. J. Keller & Associates, Inc.3003 Breezewood Lane, P.O. Box 368Neenah, Wisconsin 54957-0368Phone: (800) 327-6868Fax: (800) 727-7516JJKeller.com

EDITORIAL

vice president of editorial & consulting services STEVEN G. MURRAYdirector of editorial resources PAUL V. ARNOLD

project editor DARLENE M. CLABAULT, SHRM-CP, PHReditorial manager – human resources EDWIN J. ZALEWSKI, SHRM-CP, PHR

editor – human resources TERRI DOUGHERTY, SHRM-CP, PHReditor – human resources KATHERINE E. LOEHRKE, SHRM-CP, PHR

associate editor MICHAEL P. HENCKELassociate editor ANN POTRATZ

sr. metator/xml analyst MARY K. FLANAGAN

PUBLISHING GROUP

chairman ROBERT L. KELLERvice chairman & treasurer JAMES J. KELLER

president & ceo MARNE L. KELLER-KRIKAVAevp & chief operating officer RUSTIN R. KELLER

chief financial officer DANA S. GILMANsr. director of product development CAROL A. O'HERNsr. product development manager JENNIFER M. JUNGsr. product development specialist SUZANNE IHRIG

product development specialist JOSLYN B. SIEWERTdirector of manufacturing TODD J. LUEKE

sr. electronic publishing & prepress manager GERALD L. SABATKE

The Editorial Staff is available to provide information generally associated with this publication to anormal and reasonable extent, and at the option of, and as a courtesy of, the Publisher.

HIPAA Essentials

iv 2/18


PrivacyIntroduction and Background

IntroductionMedical privacy is needed for adequate health careRegulatory backgroundWhat does HIPAA do?What does HIPAA not do?Rules on medical record use and releaseHow information is to be safeguardedReasonable safeguardsAdministrative overheadAdministrative simplificationDoes HIPAA apply?How does HIPAA affect the average employer?Covered entityEmployer’s actionsIs the use of specific technologies required?Are paper records covered?Hybrid entitiesExisting state lawsWhat to doFAQsIntroduction and background checklist

AssessmentCovered entitiesMore specifics on health care plansExemptionsCovered functionsEmployer vs. sponsor

Table of Contents

HIPAA Essentials

2/18 v


Plan vs. sponsorWorkforceProtected health informationIdentify business associatesOther activitiesFAQsAssessment checklist

Effects on Health Care PlansAssessmentPlan documentsPlansPlan amendmentsUse and disclosurePrivacy of wellness programsCertificationFirewallsMinimum necessarySummary health informationDe-identified informationInformation flow without PHIFAQsEffects on health care plans checklist

Effects on Non-Covered EntitiesHealth care providerHealth careThe U.S. Department of TransportationApplicationsEmployment examsWritten noticeWorkers’ compensationEmployer’s responseCovered entitiesFAQsEffects on non-covered entities checklist

Privacy OfficialQualificationsResponsibility for privacy noticeTrainingJob descriptionDocumentationSeparate locationsFAQsPrivacy official checklist

Protected Health Information (PHI)OverviewWhat is PHI?Individually identifiable PHI

HIPAA Essentials

vi 2/18


Required PHI disclosuresPermitted PHI disclosures without authorizationOther uses and disclosuresCommunicable diseasesEmergency situationsOSHA and whistleblower complaintsWorkers’ compensationMinimum necessary requirementWhat information is NOT protected?Consents and authorizationsWhat must be in an authorization?Releases of de-identified informationFTC ActSummary health informationMarketingSale of PHIDisclosures to business associatesDisclosures to employers and other plan sponsorsDisclosures in emergenciesPHI disposalFAQsProtected health information (PHI) checklist

BreachesOverviewUnsecured PHINotification requirementsNotification by a business associateLaw enforcement delayAdministrative requirementsBreach penaltiesFAQsBreaches checklist

Business AssociatesBusiness associate definedExamples of business associatesBusiness associationPHI disclosureEPHI disclosureData aggregationWhen a business associate contract is neededLiabilityContract termsContract contentExceptionsReviewDocument retentionFAQsBusiness associates checklist

HIPAA Essentials

2/18 vii


Policies and ProceduresGetting startedDigging deeperGaining inputPrivacy official ultimately responsibleBeyond requirementsDifferences between policies and proceduresWriting the policies and proceduresImplementing policies and proceduresDiscipline/sanctionHow to use the sample policies and procedures in referenceDocumentationFAQsPolicies and procedures checklist

NoticesAbout the noticeContent of the noticeRequired changes to privacy noticesProviding the noticeNotice reminderPlain languageDocumentationAction requiredResponsibility for privacy noticeFAQsNotices checklist

Employee InformationAccess to protected health informationProcedures for accessDenying accessRight to amendAccepting the amendmentDenying the amendmentAccounting of disclosures of PHIFAQsEmployee information checklist

TrainingTraining requiredWho needs to be trained?Who can train?Optional trainingPlan workforceManagers and supervisorsPrivacy officialGeneral employee populationTimeline for trainingFormat

HIPAA Essentials

viii 2/18


DocumentationFAQsTraining checklist

SecurityGeneral requirementsAdministrative safeguardsPhysical safeguardsTechnical safeguardsCyber extortionTelework and securityMobile technologyMaintenanceThird party application softwareOrganizational requirementsPolicies, procedures, and documentsFAQsSecurity checklist

Transactions and Code SetsTransactionsCode setsStandardsEDIEmployer identifierNational provider identifierHealth care reform’s changesHealth plan identifier (HPID)FAQs

EnforcementU.S. Department of Health and Human Services (HHS)State Attorneys GeneralInvestigation basicsEmployee complaintsInformal meansFormal meansCivil money penaltiesProcedural hearingsSubpoenasAuditsIn-house enforcementMitigationEnforcement activityFAQsEnforcement checklist

HIPAA Essentials

8/18 ix


PortabilityIntroduction

ApplicabilityFAQsIntroduction checklist

Special Enrollment RightsLoss of eligibility for coverageTime to request enrollment and when coverage beginsLate enrolleesFAQsSpecial enrollment rights checklist

Nondiscrimination and WellnessBasic premise of nondiscriminationGenetic Information Nondiscrimination Act (GINA)Source-of-injury exclusionsNon-confinement clausesActively-at-work rulesDiscrimination in premiums or contributionsExceptions for wellness programsHIPAA wellness program checklistFAQsNondiscrimination and wellness checklist

EnforcementDOL enforcementComplaintsInvestigationsComplianceIRS enforcementStatesFAQsEnforcement checklist

ReferenceRegulations

29 CFR Part 2590 rules and regulations for group health plans45 CFR Part 146—Requirements for the group health insurance market

Glossary

Samples

Policy Plain Language

Contacts

Interaction With Other LawsCOBRAFMLAADA

HIPAA Essentials

x 8/18


GINAAffordable Care ActMedicareFair Credit Reporting ActOccupational Safety and Health ActStates

State Information

Index

HIPAA Essentials

8/18 xi


Encryption is a method of converting an original message of regular textinto encoded or unreadable text that is eventually decrypted into plaincomprehensible text.

There are various types of encryption technology available. For anencryption strategy to be successful, you must consider many factors. Forexample, for encryption technologies to work properly when data is beingtransmitted, both the sender and the receiver must be using the same orcompatible technology.

Organizations use open networks such as the Internet and e-mail systemsdifferently. Currently no single interoperable encryption solution for com-municating over open networks exists. Adopting a single industry-wideencryption standard in the security rule would likely have placed too higha financial and technical burden on many organizations. The security ruleallows you the flexibility to determine when, with whom, and whatmethod of encryption to use.

You should discuss reasonable and appropriate security measures for theencryption of EPHI during transmission over electronic communicationsnetworks with your IT professionals, vendors, business associates, andtrading partners.

If you deal with EPHI, you must consider the use of encryption fortransmitting it, particularly over the Internet. As business practices andtechnology change, situations may arise where EPHI being transmittedfrom you would be at significant risk of being accessed by unauthorizedentities. Where risk analysis shows such risk to be significant, you mustencrypt those transmissions under the addressable implementation speci-fication for encryption.

You may want to look at how you transmit EPHI and how often.

If your company does engage in such transmissions, here are some stepsand questions to get you started in compliance:

1. Identify any possible unauthorized sources that may be able to inter-cept and/or modify the information. Identify scenarios that may resultin modification to the EPHI by unauthorized sources during transmis-sion (e.g., hackers, disgruntled employees, business competitors).

• What measures exist to protect EPHI?

• What measures are planned to protect EPHI?

• Is there an auditing process in place?

• Is there assurance that information is not altered duringtransmission?

• Are there trained staff members to monitor transmissions?

Security

8/16 51


2. Develop a transmission security policy. Establish a formal (written)set of requirements for transmitting electronic protected health infor-mation.

• Have the requirements been discussed and agreed to by identifiedkey personnel involved in transmitting electronic healthinformation?

• Has a written policy been developed and communicated to systemusers?

3. Implement procedures for transmitting electronic health informationusing hardware/software if needed. Identify methods of transmissionthat will be used to protect electronic health information; and any toolsand techniques that will be used to support the transmission securitypolicy.

• Is encryption needed to effectively protect the information?

• Is encryption feasible and cost effective in this environment?

• Are staff members skilled in the use of encryption?

For example, a benefits office has decided to use theInternet to transmit plan participant data to a supportvendor for backup and contingency operations. Thetransmission of this data should be protected fromdisclosure. No one who is not authorized to read thefile should be able to monitor the transmission andcapture the information during its transmission. Thebenefits office has decided to design and implement aweb application, which enforces the use of strongencryption methods to prevent unauthorized disclo-sure of the data during transmission.

With the constant upsurge of security breaches that involve cyber attacksand as required by the HIPAA security rule, you should have securityincident response capabilities established. Although effective incidentresponse planning can be a complex task, it should be one of yourpriorities.

When establishing incident response capabilities, you should consider thefollowing:

Developing incident response policies, plans, and procedures

An incident response policy assists in having a proper, concentrated, andcoordinated approach to responding to incidents. The incident responseplan should provide a roadmap for implementing your incident responsecapabilities. The plan should also meet your distinctive requirements that

Security

Incident response

52 8/16


relate to your mission, sizes, structures, and functions, and identify thenecessary resources and management support. Incident response policiesand plans should be approved by management and reviewed on an annualbasis.

The incident response procedures should be based on the incidentresponse policy and plan. Incident response procedures are outlines of thespecific technical processes, tools, techniques, and forms that are utilizednot only by the incident response team, but also by staff who need to reportan incident. These procedures should include your processes for:

• Preparing for incidents;

• Detecting and analyzing incidents;

• Containing, eradicating and recovering from incidents; and

• Conducting post-incident activities and reviews.

Building relationships and setting up plans for communicating withinternal and external parties regarding incidents

Building relationships and lines of communication between the incidentresponse team and other groups, both internal and external, can be chal-lenging. Plan the communication with these groups before an incidentoccurs.

Before establishing incident response policies and procedures, the inci-dent response team should first develop relationships and lines ofcommunication with internal groups within its organization, such as the ITdepartment, public affairs office, legal department, internal law enforce-ment, and management.

Also, the incident response team should discuss with your public affairsoffice, legal department, and management about sharing information withexternal groups. You are often required to communicate with externalparties regarding an incident and should comply whenever applicable.External parties could consist of federal agencies, law enforcement,media, internet service providers (ISPs), vendors, or other incidentresponse teams.

Staffing and training

Staff your incident response team with people who have the appropriateskillsets. These skills could include network administration, program-ming, technical support, intrusion detection, and CyberSecurity forensicanalysis; team members should also possess teamwork and communica-tion skills.

Furthermore, incident response team and staff members should be pro-vided with the necessary training to be effective in their roles, and to carryout their responsibilities during an incident or when an incident is sus-pected.

Security

8/17 52A


Experienced a ransomware attack or other cyber-related security incident?This Cyber-Attack Quick Response guide will explain steps that you should take to respond.

All breaches must be reported to the affected individuals no later than 60 days from occurence. If the breach affects 500 or more individuals, you must report to OCR and the media as soon as possible, but no later than 60 days from

the occurence. If the breach affects fewer than 500 individuals, you must report to OCR no later than 60 days

after the calendar year of the breach.

Cyber-AttackQuick Response

You must document and retain all information considered during the risk assessment of the

cyber-attack, including how you determined no breach occurred.

If NOIs there a breach?If YES

Execute response and mitigation procedures, and contingency

plans.RESPOND

Report the crime to criminal law enforcement agencies.

REPORT CRIME

Report all cyber threat indicators to the appropriate federal agencies

and ISAOsREPORT THREAT

Assess the incident to determine if there is a breach of protected

health information.ASSESS BREACH

ISAO = Information-sharing and analysis organizations, such as theDepartment of Homeland Security, the HHS Assistant Secretary forPreparedness and Response, and private-sector cyber-threat ISAOs.

To keep pace with the speed and stealth that cyber adversaries move, alltypes of organizations, including those beyond traditional critical infra-structure sectors, need to be able to share and respond to cyber risk in asclose to real-time as possible. Organizations engaged in informationsharing related to cybersecurity risks and incidents play an invaluable rolein the collective cybersecurity of the U.S. Many companies, however,have found it challenging to develop effective information sharingorganizations—or ISAOs. In response, President Obama issued the 2015

Security

52B 8/17


Executive Order 13691 directing the Department of Homeland Security(DHS) to encourage the development of ISAOs.

In responding to a cyber-attack, for example, you should immediately fixany technical or other problems to stop the incident. You should also takesteps to mitigate any impermissible disclosure of PHI, which may be doneby your own technology staff, or by an outside vendor brought in to help(the vendor would be a business associate if it has access to PHI for thatpurpose).

Reporting the crime to other law enforcement agencies may include stateor local law enforcement, the FBI, and/or the Secret Service. Any suchreports should not include PHI, unless otherwise permitted by the HIPAAprivacy rule. If a law enforcement official tells you that any potentialbreach report would impede a criminal investigation or harm nationalsecurity, you must delay reporting a breach for the time the law enforce-ment official requests in writing, or for 30 days, if the request is madeorally.

Report all cyber threat indicators to federal and information-sharing andanalysis organizations (ISAOs), including the Department of HomelandSecurity, the HHS Assistant Secretary for Preparedness and Response,and private-sector cyber-threat ISAOs. Any such reports should notinclude PHI. OCR does not receive such reports from its federal or HHSpartners.

Report the breach to OCR as soon as possible, but no later than 60 daysafter the discovery of a breach affecting 500 or more individuals, andnotify affected individuals and the media unless a law enforcement officialhas requested a delay in the reporting. OCR presumes all cyber-relatedsecurity incidents where protected health information was accessed,acquired, used, or disclosed are reportable breaches unless the informa-tion was encrypted by you at the time of the incident or you determine,through a written risk assessment, that there was a low probability that theinformation was compromised during the breach. If you discover a breachaffecting fewer than 500 individuals, you must notify individuals withoutunreasonable delay, but no later than 60 days after discovery; and OCRwithin 60 days after the end of the calendar year in which the breach wasdiscovered.

OCR considers all mitigation efforts taken by you during in any particularbreach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal andanalysis organizations as described above.

Cyber extortion can take many forms, but it typically involves cyber-criminals’ demanding money to stop (or in some cases, to merely delay)their malicious activities, which often include stealing sensitive data or

Security

Cyber extortion

8/18 52C


disrupting computer services. Organizations that provide necessary ser-vices or maintain sensitive data are often the targets of cyber extortionattacks.

Ransomware is a form of cyber extortion whereby the attackers deploymalware targeting an organization’s data that renderers the data inacces-sible, typically by encryption. The encryption key must be obtained fromthe ransomware attackers to decrypt the data. The ransomware attackersdemand payment, often in the form of cryptocurrency (e.g., Bitcoin) forthat decryption key. Unfortunately, paying ransom to the attackers maynot result in an organization getting its data back. Or, once an organizationpays the ransom, the attackers may provide a key to only decrypt a portionof the data and ask for additional ransom to decrypt more data.

Additional examples of cyber extortion include Denial of Service (DoS)and Distributed Denial of Service (DDoS) attacks. These types of attackstypically direct such a high volume of network traffic to targeted com-puters that the affected computers cannot respond and may appear downor otherwise inaccessible to legitimate users. In this type of attack, anattacker may initiate a DoS or DDoS attack against an organization anddemand payment to halt the attack, or the attacker could threaten an attackand demand payment to not initiate the attack.

Another type of cyber extortion occurs when an attacker gains access toan organization’s computer system, steals sensitive data from the organi-zation, and then threatens to publish that data. The attacker uses the threatof publicly exposing an organization’s sensitive data, which could includePHI, to coerce payment. In this type of attack, the attacker already has theorganization’s data and can sell that data to other malicious persons evenafter the ransom is paid.

A variation of this type of attack occurs when an attacker steals sensitivedata from an organization and then deletes that data from the organiza-tion’s computers. The attackers then contact the organization informingthem that its data has been deleted, but will be returned in exchange forpayment. Again, payment of the ransom is no guarantee that an organi-zation will get its data back. In fact, there have been instances where oneattacker has stolen and deleted an organization’s data while leaving ademand for payment only to have a second attacker gain access to thesame computer system and overwrite the payment demand of the firstattacker. In this circumstance, the second attacker didn’t even have thedata, so the organization has no chance of retrieving data from the secondattacker.

Although cyber attackers constantly create new versions of malicioussoftware and search for new vulnerabilities to exploit, organizations mustcontinue to be vigilant in their efforts to combat cyber extortion. Examplesof activities that might help reduce the chances of being a victim of cyberextortion include:

Security

52D 8/18


• Implementing a robust risk analysis and risk management programthat identifies and addresses cyber risks holistically, throughout theentire organization;

• Implementing robust inventory and vulnerability identification pro-cesses to ensure accuracy and thoroughness of the risk analysis;

• Training employees to better identify suspicious emails and othermessaging technologies that could introduce malicious software intothe organization;

• Deploying proactive anti-malware solutions to identify and preventmalicious software intrusions;

• Patching systems to fix known vulnerabilities that could be exploitedby attackers or malicious software;

• Hardening internal network defenses and limiting internal networkaccess to deny or slow the lateral movement of an attacker and/orpropagation of malicious software;

• Implementing and testing robust contingency and disaster recoveryplans to ensure the organization is capable and ready to recover froma cyber-attack;

• Encrypting and backing up sensitive data;

• Implementing robust audit logs and reviewing such logs regularly forsuspicious activity; and

• Remaining vigilant for new and emerging cyber threats and vulner-abilities (for example, by receiving US-CERT alerts and participatingin information sharing organizations.

A recent U.S. Government interagency report indicates that, on average,there have been 4,000 daily ransomware attacks since early 2016 (a 300%increase over the 1,000 daily ransomware attacks reported in 2015).Ransomware exploits human and technical weaknesses to gain access toan organization’s technical infrastructure in order to deny the organizationaccess to its own data by encrypting that data. However, there are mea-sures known to be effective to prevent the introduction of ransomware andto recover from a ransomware attack. HIPAA plays a role in assisting toprevent and recover from ransomware attacks, including how HIPAAbreach notification processes should be managed in response to aransomware attack.

Ransomware is a type of malware (malicious software) distinct from othermalware; its defining characteristic is that it attempts to deny access to auser’s data, usually by encrypting the data with a key known only to thehacker who deployed the malware, until a ransom is paid. After the user’sdata is encrypted, the ransomware directs the user to pay the ransom to the

Security

Ransomware

8/18 52E


hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive adecryption key. However, hackers may deploy ransomware that alsodestroys or exfiltrates (the unauthorized transfer of information from aninformation system) data, or ransomware in conjunction with other mal-ware that does so.

HIPAA compliance helps covered entities and business associates preventinfections of malware, including ransomware. The HIPAA security rulerequires implementation of security measures that can help prevent theintroduction of malware, including ransomware. Some of these requiredsecurity measures include:

• Implementing a security management process, which includes con-ducting a risk analysis to identify threats and vulnerabilities to ePHIand implementing security measures to mitigate or remediate thoseidentified risks;

• Implementing procedures to guard against and detect malicioussoftware;

• Training users on malicious software protection so they can assist indetecting malicious software and know how to report such detections;and

• Implementing access controls to limit access to ePHI to only thosepersons or software programs requiring access.

The security management process standard of the security rule includesrequirements for all covered entities and business associates to conduct anaccurate and thorough risk analysis of the potential risks and vulnerabili-ties to the confidentiality, integrity, and availability of all of the ePHIcreated, received, maintained, or transmitted and to implement securitymeasures sufficient to reduce those identified risks and vulnerabilities toa reasonable and appropriate level. It is expected that you will use thisprocess of risk analysis and risk management not only to satisfy thespecific standards and implementation specifications of the security rule,but also when implementing security measures to reduce the particularrisks and vulnerabilities to ePHI throughout your organization’s entireenterprise, identified as a result of an accurate and thorough risk analysis,to a reasonable and appropriate level.

For example, although there is a not a security rule standard or imple-mentation specification that specifically and expressly requires you toupdate the firmware (computer programs and data stored in hardware suchthat the programs and data cannot be dynamically written or modifiedduring execution of the programs) of network devices, as part of your riskanalysis and risk management process, you should, as appropriate, iden-tify and address the risks to ePHI of using networks devices running onobsolete firmware, especially when firmware updates are available toremediate known security vulnerabilities.

Security

52F 8/18


In general, moreover, the security rule simply establishes a floor, orminimum requirements, for the security of ePHI; you are permitted (andencouraged) to implement additional and/or more stringent security mea-sures above what is required by security rule standards.

HIPAAcompliance also helps recover from infections of malware, includ-ing ransomware. The HIPAA security rule requires you to implementpolicies and procedures that can assist in responding to and recoveringfrom a ransomware attack.

Because ransomware denies access to data, maintaining frequent backupsand ensuring the ability to recover data from backups is crucial to recov-ering from a ransomware attack. Test restorations should be periodicallyconducted to verify the integrity of backed up data and provide confidencein an organization’s data restoration capabilities. Because someransomware variants have been known to remove or otherwise disruptonline backups, you should consider maintaining backups offline andunavailable from your networks.

Implementing a data backup plan is a security rule requirement as part ofmaintaining an overall contingency plan. Additional activities that mustbe included as part of your contingency plan include disaster recoveryplanning, emergency operations planning, analyzing the criticality ofapplications and data to ensure all necessary applications and data areaccounted for, and periodic testing of contingency plans to ensure orga-nizational readiness to execute such plans and provide confidence theywill be effective.

During the course of responding to a ransomware attack, you may find itnecessary to activate your contingency or business continuity plans. Onceactivated, you will be able to continue your business operations whilecontinuing to respond to and recover from a ransomware attack. Main-taining confidence in contingency plans and data recovery is critical foreffective incident response, whether the incident is a ransomware attack orfire or natural disaster.

Security incident procedures, including procedures for responding to andreporting security incidents, are also required by HIPAA. Your securityincident procedures should prepare you to respond to various types ofsecurity incidents, including ransomware attacks. Robust security inci-dent procedures for responding to a ransomware attack should includeprocesses to:

• Detect and conduct an initial analysis of the ransomware;

• Contain the impact and propagation of the ransomware;

• Eradicate the instances of ransomware and mitigate or remediatevulnerabilities that permitted the ransomware attack and propagation;

• Recover from the ransomware attack by restoring data lost during theattack and returning to “business as usual” operations; and

Security

8/18 52G


• Conduct post-incident activities, which could include a deeper analy-sis of the evidence to determine if you have any regulatory, contractualor other obligations as a result of the incident (such as providingnotification of a breach of protected health information), and incor-porating any lessons learned into the overall security managementprocess to improve incident response effectiveness for future securityincidents.

Unless ransomware is detected and propagation halted by your malicioussoftware protection or other security measures, you would typically bealerted to the presence of ransomware only after the ransomware hasencrypted the user’s data and alerted the user to its presence to demandpayment. However, in some cases, your workforce may notice earlyindications of a ransomware attack that has evaded your security mea-sures.

HIPAA’s requirement that your workforce receive appropriate securitytraining, including training for detecting and reporting instances of mali-cious software, can thus assist you in preparing your staff to detect andrespond to ransomware. Indicators of a ransomware attack could include:

• A user’s realization that a link that was clicked on, a file attachmentopened, or a website visited may have been malicious in nature;

• An increase in activity in the central processing unit (CPU) of acomputer and disk activity for no apparent reason (due to theransomware searching for, encrypting and removing data files);

• An inability to access certain files as the ransomware encrypts, deletesand re-names and/or re-locates data; and

• Detection of suspicious network communications between theransomware and the attackers’ command and control server(s) (thiswould most likely be detected by IT personnel via an intrusiondetection or similar solution).

If you believe that a ransomware attack is underway, either because ofindicators similar to those above or other methods of detection, youshould immediately activate your security incident response plan, whichshould include measures to isolate the infected computer systems in orderto halt propagation of the attack.

Additionally, it is recommended that if you are infected with ransomware,that you contact your local FBI or United States Secret Service field office.These agencies work with federal, state, local and international partners topursue cyber criminals globally and assist victims of cybercrime.

You should take some steps if your computer systems are infected withransomware. The presence of ransomware (or any malware) on yourcomputer systems is a security incident under the HIPAA security rule. Asecurity incident is defined as the attempted or successful unauthorizedaccess, use, disclosure, modification, or destruction of information or

Security

52H 8/18


interference with system operations in an information system. Once theransomware is detected, you must initiate your security incident andresponse and reporting procedures.

You are required to develop and implement security incident proceduresand response and reporting processes that you believe are reasonable andappropriate to respond to malware and other security incidents, includingransomware attacks.

Your security incident response activities should begin with an initialanalysis to:

• Determine the scope of the incident to identify what networks, sys-tems, or applications are affected;

• Determine the origination of the incident (who/what/where/when);

• Determine whether the incident is finished, is ongoing or has propa-gated additional incidents throughout the environment; and

• Determine how the incident occurred (e.g., tools and attack methodsused, vulnerabilities exploited).

These initial steps should assist in prioritizing subsequent incidentresponse activities and serve as a foundation for conducting a deeperanalysis of the incident and its impact. Subsequent security incidentresponse activities should include steps to:

• Contain the impact and propagation of the ransomware;

• Eradicate the instances of ransomware and mitigate or remediatevulnerabilities that permitted the ransomware attack and propagation;

• Recover from the ransomware attack by restoring data lost during theattack and returning to “business as usual” operations; and

• Conduct post-incident activities, which could include a deeper analy-sis of the evidence to determine if you have any regulatory, contractualor other obligations as a result of the incident (such as providingnotification of a breach of protected health information), and incor-porating any lessons learned into the overall security managementprocess to improve incident response effectiveness for future securityincidents.

Part of a deeper analysis should involve assessing whether or not therewas a breach of PHI as a result of the security incident. The presence ofransomware (or any malware) is a security incident under HIPAA thatmay also result in an impermissible disclosure of PHI in violation of theprivacy rule and a breach, depending on the facts and circumstances of theattack.

If ransomware infects a computer system, the infection could be a HIPAAbreach. Whether or not the presence of ransomware would be a breach isa fact-specific determination. A breach under the HIPAA rules is definedas, “…the acquisition, access, use, or disclosure of PHI in a manner not

Security

8/18 52I


permitted under the [HIPAA privacy rule] which compromises the secu-rity or privacy of the PHI.”

When ePHI is encrypted as the result of a ransomware attack, a breach hasoccurred because the ePHI encrypted by the ransomware was acquired(i.e., unauthorized individuals have taken possession or control of theinformation), and thus is a “disclosure” not permitted under the HIPAAprivacy rule.

Unless you can demonstrate that there is a “…low probability that the PHIhas been compromised,” based on the factors set forth in the breachnotification rule, a breach of PHI is presumed to have occurred. You mustthen comply with the applicable breach notification provisions, includingnotification to affected individuals without unreasonable delay, to theSecretary of HHS, and to the media (for breaches affecting over 500individuals) in accordance with HIPAA breach notification requirements.

You can demonstrate “…that there is a low probability that the PHI hasbeen compromised” such that breach notification would not be requiredby performing a risk assessment considering at least the following fourfactors:

1. The nature and extent of the PHI involved, including the types ofidentifiers and the likelihood of re-identification;

2. The unauthorized person who used the PHI or to whom the disclosurewas made;

3. Whether the PHI was actually acquired or viewed; and

4. The extent to which the risk to the PHI has been mitigated.

Athorough and accurate evaluation of the evidence acquired and analyzedas a result of security incident response activities could help with the riskassessment process by revealing, for example: the exact type and variantof malware discovered; the algorithmic steps undertaken by the malware;communications, including exfiltration attempts between the malwareand attackers’ command and control servers; and whether or not themalware propagated to other systems, potentially affecting additionalsources of electronic PHI (ePHI). Correctly identifying the malwareinvolved can help determine what algorithmic steps the malware is pro-grammed to perform. Understanding what a particular strain of malwareis programmed to do can help determine how or if a particular malwarevariant may laterally propagate throughout your enterprise, what types ofdata the malware is searching for, whether or not the malware may attemptto exfiltrate data, or whether or not the malware deposits hidden malicioussoftware or exploits vulnerabilities to provide future unauthorized access,among other factors.

Although you are required to consider the four factors listed above inconducting risk assessments to determine whether there is a low prob-ability of compromise of the ePHI, you are encouraged to consider

Security

52J 8/18


additional factors, as needed, to appropriately evaluate the risk that thePHI has been compromised. If, for example, there is high risk of unavail-ability of the data, or high risk to the integrity of the data, such additionalfactors may indicate compromise. In those cases, you must providenotification to individuals without unreasonable delay.

Additionally, with respect to considering the extent to which the risk toPHI has been mitigated (the fourth factor) where ransomware hasaccessed PHI, you may wish to consider the impact of the ransomware onthe integrity of the PHI. Frequently, ransomware, after encrypting the datait was seeking, deletes the original data and leaves only the data inencrypted form. You may be able to show mitigation of the impact of aransomware attack affecting the integrity of PHI through the implemen-tation of robust contingency plans including disaster recovery and databackup plans. Conducting frequent backups and ensuring the ability torecover data from backups is crucial to recovering from a ransomwareattack and ensuring the integrity of PHI affected by ransomware. Testrestorations should be periodically conducted to verify the integrity ofbacked up data and provide confidence in an organization’s data restora-tion capabilities. Integrity to PHI data is only one aspect when consideringto what extent the risk to PHI has been mitigated. Additional aspects,including whether or not PHI has been exfiltrated, should also be consid-ered when determining the extent to which the risk to PHI has beenmitigated.

The risk assessment to determine whether there is a low probability ofcompromise of the PHI must be thorough, completed in good faith andreach conclusions that are reasonable given the circumstances. Further-more, you must maintain supporting documentation sufficient to meetyour burden of proof regarding the breach assessment — and if appli-cable, notification — process including:

• Documentation of the risk assessment demonstrating the conclusionsreached;

• Documentation of any exceptions determined to be applicable to theimpermissible use or disclosure of the PHI; and

• Documentation demonstrating that all notifications were made, if adetermination was made that the impermissible use or disclosure wasa reportable breach.

If the ePHI encrypted by the ransomware was already encrypted tocomply with HIPAA, a reportable breach might still be involved, as thisis a fact-specific determination. The HIPAAbreach notification provisionsapply to “unsecured PHI,” which is PHI that is not secured through the useof a technology or methodology specified by the Secretary in guidance. Ifthe ePHI is encrypted in a manner consistent with the guidance such thatit is no longer “unsecured PHI,” then you are not required to conduct a risk

Security

8/18 52K


assessment to determine if there is a low probability of compromise, andbreach notification is not required.

However, even if the PHI is encrypted in accordance with the HHSguidance, additional analysis may still be required to ensure that theencryption solution, as implemented, has rendered the affected PHIunreadable, unusable, and indecipherable to unauthorized persons. A fulldisk encryption solution may render the data on a computer system’s harddrive unreadable, unusable, and indecipherable to unauthorized personswhile the computer system (such as a laptop) is powered down. Once thecomputer system is powered on and the operating system is loaded,however, many full disk encryption solutions will transparently decryptand encrypt files accessed by the user.

For example, if a laptop encrypted with a full disk encryption solution ina manner consistent with HHS guidance is properly shut down andpowered off and then lost or stolen, the data on the laptop would beunreadable, unusable, and indecipherable to anyone other than the authen-ticated user. Because the PHI on the laptop is not “unsecured PHI,” youneed not perform a risk assessment to determine a low probability ofcompromise or provide breach notification.

In contrast to the above example, however, if the laptop is powered on andin use by an authenticated user, who then performs an action (clicks on alink to a malicious website, opens an attachment from a phishing email,etc.) that infects the laptop with ransomware, there could be a breach ofPHI. If full disk encryption is the only encryption solution in use to protectthe PHI and if the ransomware accesses the file containing the PHI, the filecontaining the PHI will be transparently decrypted by the full disk encryp-tion solution and access permitted with the same access levels granted tothe user.

Because the file containing the PHI was decrypted and thus “unsecuredPHI” at the point in time that the ransomware accessed the file, animpermissible disclosure of PHI was made and a breach is presumed.Under the HIPAA breach notification rule, notification is required unlessyou can demonstrate a low probability of compromise of the PHI based onthe four-factor risk assessment.

Phishing is a type of cyber-attack used to trick individuals into divulgingsensitive information via electronic communication by impersonating atrustworthy source. For example, an individual may receive an email ortext message informing the individual that their password may have beenhacked. The phishing email or text may then instruct the individual toclick on a link to reset their password.

In many instances, the link will direct the individual to a website imper-sonating an organization’s real web site (e.g., bank, government agency,

Security

Phishing

52L 8/18


email service, retail site) and ask for the individual's login credentials(username and password).

Once entered into the fake website, the third party that initiated thephishing attack will have the individual’s login credentials for that site andcan begin other malicious activity such as looking for sensitive informa-tion or using the individual’s email contact list to send more phishingattacks.

Alternatively, rather than capture login credentials, the link on the phish-ing message may download malicious software on to the individual’scomputer. Phishing messages could also include attachments, such as aspreadsheet or document, containing malicious software that executeswhen such attachments are opened.

Phishing is one of the primary methods used to distribute malicioussoftware, including ransomware.

Individuals must remain vigilant in their efforts to detect and not fall preyto phishing attacks because these attacks are becoming more sophisticatedand harder to detect. Phishing attacks take advantage of popular holidaysby impersonating messages from shipping vendors and ecommerce sites.Similarly, phishing attacks regarding tax refunds are common during taxseason (March and April).

A specific type of phishing attack, known as spear phishing, targetsspecific individuals within an organization. For example, a spear phishingattack could target an individual in the IT, accounting, or finance depart-ment of an organization by impersonating the individual’s supervisor anddirecting the individual to a malicious website or to download a filecontaining a malicious program. One of the primary methods of combat-ing phishing attacks of all kinds is through user awareness.

Tips to avoid becoming a victim of a phishing attack include:

• Be wary of unsolicited third-party messages seeking information. Ifyou are suspicious of an unsolicited message, call the business orperson that sent the message to verify that they sent it and that therequest is legitimate.

• Be wary of messages even from recognized sources. Messages fromcoworkers or a supervisor as well as messages from close relativesor friends could be sent from hacked accounts used to send phishingmessages.

• Be cautious when responding to messages sent by third parties.Contact information listed in phishing messages such as emailaddresses, web sites, and phone numbers could redirect you to themalicious party that sent the phishing message. When verifying thecontents of a message, use known good contact information or, for abusiness, the contact information provided on its web site.

Security

8/18 52M


• Be wary of clicking on links or downloading attachments from unso-licited messages. Phishing messages could include links directingpeople to malicious web sites or attachments that execute malicioussoftware when opened.

• Be wary of even official looking messages and links. Phishing mes-sages may direct you to fake web sites mimicking real websites usingweb site names that appear to be official, but which may containintentional typos to trick individuals. For example, a phishing attackmay direct someone to a fake website that uses 1’s (ones) instead ofl’s (i.e., a11phishes vs. allphishes).

• Use multifactor authentication. Multifactor authentication reducesthe possibility that someone can hack into your account using onlyyour password.

• Keep antimalware software and system patches up to date. If you dofall for a phishing scam, antimalware software can help preventinfection by a virus or other malicious software. Also, ensuringpatches are up to date reduces the possibility that malicious softwarecould exploit known vulnerabilities of your computer’s or mobiledevice’s operating system and applications.

• Back up your data. In the event that malicious software, such asransomware, does get installed on your computer, you want to makesure you have a current backup of your data. Malicious software thatdeletes your data or holds it for ransom may not be retrievable.Robust, frequent backups may be the only way to restore data in theevent of a successful attack. Also, be sure to test backups by restoringdata from time to time to ensure that the backup strategy you have inplace is effective.

Many people telework, which is the ability for an organization’s employ-ees and contractors to conduct work from locations other than theorganization’s facilities. Teleworkers use various devices, such as desktopand laptop computers, cell phones, and personal digital assistants (PDAs),to read and send email, access Web sites, review and edit documents, andperform many other tasks. Most teleworkers use remote access, which isthe ability of an organization’s users to access its nonpublic computingresources from locations other than the organization’s facilities. Organi-zations have many options for providing remote access, including virtualprivate networks, remote system control, and individual applicationaccess (e.g., Web-based email).

Security

Telework andsecurity

52N 8/18


Before allowing telework, ensure that users understand your organi-zation’s policies and requirements.Remind teleworkers of the organization’s policies and requirements tohelp provide adequate security to protect the organization’s information.Sensitive information stored on, or sent to or from, external teleworkdevices needs to be protected so that malicious parties can neither accessnor alter it. An unauthorized release of sensitive information could dam-age the public’s trust in an organization, jeopardize the mission of anorganization, or harm individuals if their personal information has beenreleased.

Make sure all teleworkers’ devices on their wired and wireless homenetworks are properly secured, as well as the home networks them-selves.An important part of telework and remote access security is applyingsecurity measures to the personal computers (PCs) and consumer devicesusing the same wired and wireless home networks to which the teleworkdevice normally connects. If any of these other devices become infectedwith malware or are otherwise compromised, they could attack thetelework device or eavesdrop on its communications. Teleworkers shouldalso be cautious about allowing others to place devices on the teleworkers’home networks, in case one of these devices is compromised. This may besomething to address in telework policies.

You may want to apply security measures to home networks to whichteleworkers’ devices normally connect. One example of a security mea-sure is using a broadband router or firewall appliance to preventcomputers outside the home network from initiating communicationswith telework devices on the home network. Another example is ensuringthat sensitive information transmitted over a wireless home network isadequately protected through strong encryption.

Consider the security state of a third-party device before using it fortelework.Teleworkers often want to perform remote access from third-partydevices, such as checking email from a kiosk computer at a conference.However, teleworkers typically do not know if such devices have beensecured properly or if they have been compromised. Consequently, ateleworker could use a third-party device infected with malware that stealsinformation from users (e.g., passwords or email messages).

Many organizations either forbid third-party devices to be used for remoteaccess or permit only limited use, such as for Web-based email.Teleworkers should consider who is responsible for securing a third-partydevice and who can access the device before deciding whether or not touse it. Whenever possible, teleworkers should not use publicly accessiblethird-party devices for telework, and teleworkers should avoid using

Security

2/14 53


anythird-party devices for performing sensitive functions or accessingsensitive information.

Secure a telework PC.If you have teleworkers who use their own desktop or laptop PCs fortelework, their operating systems and primary applications should besecured.

• Use a combination of security software, such as antivirus andantispyware software, personal firewalls, spam and Web content fil-tering, and popup blocking, to stop most attacks, particularlymalware;

• Restrict who can use the PC by having a separate standard useraccount for each person, assigning a password to each user account,using the standard user accounts for daily use, and protecting usersessions from unauthorized physical access;

• Ensure that updates and patches are regularly applied to the operatingsystem and primary applications, such as Web browsers, email clients,instant messaging clients, and security software;

• Disable unneeded networking features on the PC and configure wire-less networking securely;

• Configure primary applications to filter content and stop other activitythat is likely to be malicious;

• Install and use only known and trusted software;

• Configure remote access software based on the organization’s require-ments and recommendations; and

• Maintain the PC’s security on an ongoing basis, such as changingpasswords regularly and checking the status of security softwareperiodically.

Secure consumer devices used for telework.Awide variety of consumer devices exists, such as cell phones, PDAs, andvideo game systems, and security features available for these devices alsovary widely. Some devices offer only a few basic features, whereas othersoffer sophisticated features similar to those offered by PCs. This does notnecessarily imply that more security features are better; in fact, manydevices offer more security features because the capabilities they provide(e.g., wireless networking, instant messaging) make them more suscep-tible to attack than devices without these capabilities. Generalrecommendations for securing telework devices are as follows:

• Limit access to the device, such as setting a personal identificationnumber (PIN) or password and automatically locking a device after anidle period;

• Disable networking capabilities, such as Bluetooth, except when theyare needed;

Security

54 2/14


• Use additional security software, such as antivirus software and per-sonal firewalls, if appropriate;

• Ensure that security updates, if available, are acquired and installed atleast monthly, or more frequently; and

• Configure applications to support security (e.g., blocking activity thatis likely to be malicious).

Secure information.Since the information is the focus of privacy and security measures, it isbeneficial to look at ways in which it can be at risk of access fromunwanted sources and how to minimize those risks.

• Use physical security controls for telework devices and removablemedia. For example, you might require that laptops be physicallysecured using cable locks when used in hotels, conferences, and otherlocations where third parties could easily gain physical access to thedevices. You may also have physical security requirements for papersand other non-computer media that contain sensitive information andare taken outside the organization’s facilities.

• Encrypt files stored on telework devices and removable media such asCDs and flash drives. This prevents attackers from readily gainingaccess to information in the files. Many options exist for protectingfiles, including encrypting individual files or folders, volumes, andhard drives. Generally, using an encryption method to protect filesalso requires the use of an authentication mechanism (e.g., password)to decrypt the files when needed.

• Ensure that information stored on telework devices is backed up. Ifsomething adverse happens to a device, such as a hardware, software,or power failure or a natural disaster, the information on the devicewill be lost unless it has been backed up to another device or remov-able media. Some organizations permit teleworkers to back up theirlocal files to a centralized system (e.g., through VPN remote access),whereas other organizations recommend that their teleworkers per-form local backups (e.g., burning CDs, copying files onto removablemedia). Teleworkers should perform backups, following your orga-nizations’ guidelines, and verify that the backups are valid andcomplete. It is important that backups on removable media be securedat least as well as the device that they backed up. For example, if acomputer is stored in a locked room, then the media also should be ina secured location; if a computer stores its data encrypted, then thebackups of that data should also be encrypted.

• Ensure that information is destroyed when it is no longer needed. Forexample, files should be removed from a computer scheduled to beretired or from a third-party computer that is temporarily used for

Security

2/14 55


remote access. Some remote access methods perform basic informa-tion cleanup, such as clearing Web browser caches that mightinadvertently hold sensitive information, but more extensive cleanuptypically requires using a special utility, such as a disk-scrubbingprogram specifically designed to remove all traces of informationfrom a device. Another example of information destruction is shred-ding telework papers containing sensitive information once the papersare no longer needed.

• Erase information from missing cell phones and PDAs. If a cell phoneor PDA is lost or stolen, occasionally its contents can be erasedremotely. This prevents an attacker from obtaining any informationfrom the device. The availability of this service depends on thecapabilities of the product and the company providing network ser-vices for the product.

Forgetting the importance of safeguarding Internet-accessible PHI can bea costly mistake for a covered entity. A health care provider found this outthe hard way when it settled with the U.S. Department of Health andHuman Services (HHS) for $100,000.

The entity, a provider of surgery physician services, reportedly postedclinical and surgical appointments for its patients on a publicly accessibleInternet-based calendar. A report detailing this practice caught the eye ofthe HHS, which investigated. The investigation found the health careprovider had implemented few policies and procedures to comply with theHIPAA privacy and security rules, and had limited safeguards in place toprotect patients’ electronic protected health information (EPHI), accord-ing to the HHS.

In addition to posting PHI on a public Internet-based calendar, the pro-vider reportedly also made the following mistakes:

• Transmitted EPHI from a company Internet-based email account toemployees’ personal Internet-based email accounts on a daily basisfor four years;

• Failed to identify a security official;

• Failed to conduct an accurate and thorough assessment of the potentialrisks and vulnerabilities to the confidentiality, integrity, and availabil-ity of patient EPHI; and

• Failed to obtain business associate agreements from the Internet-based calendar and email provider certifying that these entities wouldappropriately safeguard the EPHI received from the health careprovider.

In addition to paying the $100,000 in the settlement, the health careprovider entered into a corrective action plan with the HHS.

Security

56 2/14


Adequately protect remote access-specific authenticators.

Teleworkers need to ensure that they adequately protect their remoteaccess-specific authenticators, such as passwords, personal identificationnumbers (PINs), and hardware tokens. Such authenticators should not bestored with the telework computer, nor should multiple authenticators bestored with each other (e.g., a password or PIN should not be written onthe back of a hardware token).

Beware social engineering.

Teleworkers should be aware of how to handle threats involving socialengineering, which is a general term for attackers trying to trick peopleinto revealing sensitive information or performing certain actions, such asdownloading and executing files that appear to be benign but are actuallymalicious. For example, an attacker might approach a teleworker in acoffee shop and ask to use the computer for a minute or offer to help theteleworker with using the computer.

Teleworkers should also be wary of any requests they receive that couldlead to a security breach or to the theft of a telework device.

Know how to handle a security breach.

If a teleworker suspects that a security breach (including loss or theft ofmaterials) has occurred involving a telework device, remote access com-munications, removable media, or other telework components, theteleworker should immediately follow your organization’s policy andprocedures for reporting the possible breach. This is particularly impor-tant if any of the affected telework components contain sensitiveinformation such as EPHI, so that the potential impact of a security breachis minimized.

For more information on breaches, see the ProtectedHealth Information chapter.

There have been a number of security incidents related to the use oflaptops, other portable and/or mobile devices, and external hardware thatstore, contain, or are used to access electronic protected health informa-tion (EPHI) under the responsibility of a HIPAA-covered entity. Allcovered entities are required to be in compliance with the HIPAA securityrule, which includes, among its requirements, reviewing and modifying,where necessary, security policies and procedures on a regular basis. Thisis particularly relevant for organizations that allow remote access to EPHIthrough portable devices or on external systems or hardware not owned ormanaged by the covered entity.

Security

Mobiletechnology

2/16 57


The main objective of this information is to reinforce some of the waysyou may protect EPHI when it is accessed or used outside of yourorganization’s physical purview. It sets forth strategies that may be rea-sonable and appropriate for your organization if you conduct some of yourbusiness activities through:

1. The use of portable media/devices (such as USB flash drives) thatstore EPHI; and

2. Offsite access or transport of EPHI via laptops, personal digitalassistants (PDAs), home computers, or other noncorporateequipment.

The Centers for Medicare & Medicaid Services (CMS) has delegatedauthority to enforce the HIPAA security standards, and may rely upon thisinformation in determining whether or not the actions of a covered entityare reasonable and appropriate for safeguarding the confidentiality, integ-rity, and availability of EPHI, and it may be given deference in anyadministrative hearing pursuant to the HIPAA enforcement rule.

The kinds of devices and tools about which there is growing concernbecause of their vulnerability include the following examples: laptops;home-based personal computers; PDAs and smartphones; hotel, library,or other public workstations and wireless access points (WAPs); USBflash drives and memory cards; floppy disks; CDs; DVDs; backup media;email; smart cards; and remote access devices (including security hard-ware).

If members of your plan workforce might be using mobile devices in theirwork, the plan must comply with the HIPAA privacy and security rules toprotect and secure health information, even when using mobile devices.Therefore, you are to develop and implement mobile device proceduresand policies that will protect PHI. Here are some steps to consider.

1. Decide whether mobile devices will be used to access, receive, trans-mit, or store protected health information or used as part of yourorganization’s internal networks or systems.

Understand the risks to your organization before you decide to allowthe use of mobile devices. Risks (threats and vulnerabilities) can varybased on the mobile device and its use. Some risks might include:

• A lost mobile device;

• A stolen mobile device;

• Inadvertently downloading viruses or other malware;

• Unintentional disclosure to unauthorized users when sharingmobile devices with friends, family, and/or coworkers; or

• Using an unsecured Wi-Fi network.

Security

Managing mobiledevices

58 2/16


Visit JJKeller.com now to order or get more details onthis manual written by our safety & compliance experts.

Convenient Update Service subscriptions are also availableto help you make sure your information is always up to date.

NOW AVAILABLE -Access Your Manual OnlineWith our NEW Online Edition options, you can access this manual’s contentfrom any browser or mobile device. You’ll get:

• Search capabilities for easy navigation and fast research• Bookmarks to help you to quickly flip to sections you frequently use• Continuous updates to ensure you always have the most current info• Notifications via homepage and email to help you stay on top of changes• Easy access to ask questions of our subject matter experts

Want to Keep Reading?

TM

@jjkeller jjkeller.com/LinkedIn google.com/+jjkeller contact us

Connect With Us

Order Now to Keep Reading!

Documents

This publication updates in February/August · 2018. 9. 1. · This manual is designed with group health care plan sponsors in mind, and includes the HIPAA regu- lations, sample forms,